The Uncertainty Relation for Smooth Entropies 
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Uncertainty relations give upper bounds on the accuracy by which the outcomes of two incompat- 
ible measurements can be predicted. While established uncertainty relations apply to cases where 
the predictions are based on purely classical data (e.g., a description of the system's state before 
measurement), an extended relation which remains valid in the presence of quantum information 
has been proposed recently [Berta et al, Nat. Phys. 6, 659 (2010)]. Here, we generalize this un- 
certainty relation to one formulated in terms of smooth entropies. Since these entropies measure 
operational quantities such as extractable secret key length, our uncertainty relation is of immediate 
practical use. To illustrate this, we show that it directly implies security of a family of quantum key 
distribution protocols including BB84. Our proof remains valid even if the measurement devices 
used in the experiment deviate arbitrarily from the theoretical model. 



Introduction. — Quantum mechanics has the peculiar 
property that, even if the state of a system is fully known, 
certain measurements will result in a random outcome. 
In other words, the information contained in the descrip- 
tion of a system's state is generally not sufficient to pre- 
dict measurement outcomes with certainty. Heisenberg's 
uncertainty principle [1] can be seen as a quantitative 
characterization of this property. 

We consider a quantum system, A, and two positive 
operator valued measurements (POVMs) acting on it, 
X with elements {M x }, and Z with elements {N z }. In its 
entropic version, as first proposed by Deutsch and later 
proved by Maassen and Uffink [2] and Krishna et al. [3], 
the uncertainty principle reads 



H(X\S) + £T(Z|S) >g. 



(1) 



H denotes the Shannon or von Neumann entropy and 
characterizes the uncertainty about the measurement 
outcomes X of X or Z of Z given any classical description, 
S, of the state of A before measurement [4]. (The most 
general classical description of A is a full characteriza- 
tion of its density matrix.) The bound, q, quantifies the 
"incompatibility" of the two measurements and is inde- 
pendent of the state of A before measurement [5] : 



q := log 2 — , where 



max 



(2) 



One may now consider an agent, who, instead of hold- 
ing a classical description S of A, has access to a quan- 
tum system, B, which is fully entangled with A. It is 
easy to verify that this agent can predict the outcome 
of any possible orthogonal measurement applied to A by 
performing a suitable measurement on his share of the 
entangled state. In other words, (1) is not valid in such 
a generalized scenario. However, as first conjectured by 
Renes and Boileau [4] , and later proved by Berta et al. [6] 
and Coles et al. [7], the relation 



holds in general, for two disjoint, not necessarily classical, 
systems B and C. If both systems contain only a classical 
description S of the state on A, we recover (1) [8]. 

To make the above statements more precise, let p A Bc 
be any quantum state on three systems A, B and C. After 
measuring A with respect to X and storing the outcome 
in a classical register, X, the joint state of X and the 
system B is given by [9] 



Pxb 



\x)(x\ <g) Tg, where 



tr A 



: (M x p ABC ) 



(The possible measurement outcomes of X are encoded in 
an orthonormal basis {\x}} and the probability of mea- 
suring x is given by tr(r^).) Similarly, we define p zc , 
where the measurement Z instead of X is applied to A 
and where we keep system C instead of B. The condi- 
tional von Neumann entropies in (3) are then evaluated 
for these states, i.e. H(X\B) = H(p XB ) — H(p B ). 

The main contribution of this work is to generalize (3) 
to smooth entropies [10, 11], which are generalizations 
of the von Neumann entropy. Crucially, in contrast to 
the latter, they characterize operational quantities be- 
yond the standard i.i.d. scenario [12]. For example, the 
smooth min-entropy of a random variable X conditioned 
on a system B, denoted H^ in (X\B) , corresponds to the 
number of bits contained in X that are e-close to uni- 
formly distributed and independent of the quantum sys- 
tem B, where e > is the smoothing parameter. Sim- 
ilarly the smooth max-entropy of Z conditioned on C, 
denoted H^^ZlC) , corresponds to the number of bits 
that are needed in order to reconstruct the value Z using 
the quantum system C up to a failure probability e. 

The generalized uncertainty relation reads 



^ in (X|B)+^ lax (Z|C) >q. 



(4) 



fl"(X|B) +J?(Z|C) > q 



(3) 



It implies most existing uncertainty relations for two in- 
compatible measurements [13]. In particular, it general- 
izes and strengthens an uncertainty relation derived via 
operational interpretations of the smooth entropies [14]. 
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We recover (3) by applying the entropic asymptotic 
equipartition property [15] to (4). Moreover, for e = 
and disregarding B and C, we find a generalization to 
POVMs of a result by Maassen and Uffink [2], bound- 
ing the uncertainty in terms of Rcnyi entropies [16] of 
order 1/2 and 00, namely H m (X) + H 1 ,{Z) > q. 

The uncertainty principle has provided intuition for 
various applications, in particular in cryptography. How- 
ever, previous uncertainty relations could not be applied 
directly, since the von Neumann entropy is often not the 
relevant measure of uncertainty. (See [6] for examples 
and a discussion.) Our uncertainty relation overcomes 
this limitation. Potential areas of application include en- 
tanglement witnessing, the bounded storage model [17] 
and quantum cryptography in general. 

As an example, we show that the relation naturally 
leads to a concise and general security proof for quantum 
key distribution (QKD) [18, 19]. When applied to prac- 
tical prepare-and-measure protocols, it yields a strictly 
stronger security claim than previously known proofs. In 
particular, non-trivial security bounds can be obtained 
for realistic choices of the parameters (such as the num- 
ber of exchanged signals). In addition, these bounds do 
not depend on the details of the measurement devices and 
are therefore maximally robust against imperfections in 
their implementation. 

Smooth Entropies. — For our purposes, quantum states 
are positive semi-definite operators with trace smaller or 
equal to 1 on a finite-dimensional Hilbert space. Given a 
state p A on (a Hilbert space) A, we say that p AB extends 
p A on B if tr B (Pab) = Pa- A purification is an extension of 
rank 1. We write p ~ £ t if the purified distance between 
p and t (which is defined as the minimum trace distance 
between purifications of p and r; see [20] for details) does 
not exceed s. 

We now define the smooth min- and max-entropy. Let 
e > and p AB be a bipartite state on A and B. The 
min-entropy of A given B is defined as 

H min {A\B) p := max sup {A e M : 2~ A 1 A <g> a B > p AB } , 

where a B is maximized over all states on B and 1 A is the 
identity operator on A. Furthermore, the e-smooth min- 
entropy is defined as i?^ in (A|B) p := maxp if min (A|B) p , 
where the optimization is over all states p AB ~ e p AB . 

The smooth max-entropy is its dual [20, 21] with re- 
gards to any purification p ABC of p AB in the sense that 

HLx(A|B) p := -i^ in (A|C) p . (5) 

We arc now ready to restate our uncertainty relation. 

Theorem 1. Let e > 0, let p ABC be a tri-partite quantum 
state and let X and 1 be two POVMs on A. Then, 

H^ n (X\B) p + H^(Z\C) p >q, 

where the entropies are evaluated using Px B and Pzc; 
spectively, and p XB , p zc and q are defined as above. 



Proof of the Main Result. — It will be helpful to de- 
scribe the two measurements in the Stincspring dilation 
picture as isometries followed by a partial trace. Let 
U be the isometry from A to A, X and X' given by 
U := J2 X \ x ) ® \ x ) ® y/Mx- The isometry stores two 
copies of the measurement outcome in the registers X and 
X' and the post-measurement state in A. Analogously, 
V := J2 Z \ z ) ® \ z ) ® VNz- Furthermore, we introduce the 
states Pxx'abc := Up A scU^ and p ZZ 'abc := Vp ABC V^, of 
which the post-measurement states appearing in Theo- 
rem 1, p XB and pzc, are marginals. 

We now proceed to prove the theorem for the special 
case where p ABC is pure and e = 0. 

The duality relation (5) applied to p ZZ ' ABC gives 

J ff max (Z|C) p + J ff min (Z|ZAB) p = 0. (6) 

Comparing (6) with the statement of the theorem, it re- 
mains to show that £f min (Z|Z'AB) p < ff min (X|B) p - q 
holds. By the definition of the min-entropy, we have 

if min (Z|Z'AB) p 

= max sup{A e K : 2~ A l z ® cr z / AB > p ZZ ' AB } 

"z'ab 

< maxsup{A e M : 2~ A cl x <g)(T B > p XB } (7) 

"z'ab 

= if min (X|B) p - g , 
where, in order to arrive at (7), we need to show that 

2~ A l z ® (T Z / AB > p zz ' AB 2 _A Cl x ® C7 B > Pxb • (8) 

For this, we apply the partial isometry W := UV^ 
followed by a partial trace over X' and A on both sides 
of the inequality on the left-hand side. This implies 

2- A tr x , A (VK(l z ® <7 z , AB )Wt) > p XB . (9) 

Moreover, substituting the definition of W, we find 

trx' A (V^(l z ® Cz'AB 

0~ z'AB )\z) (10) 

x,z 

<ct x <E>a B . (11) 

To get (10), we used the orthonormality of {la;)}^ and 
{|z)} z as well as the cyclicity of the partial trace over A. 
Moreover, in the last step, we used that 

^ Z M X ^/N~ Z = \ y/N~ z y/M^\ 2 < cl A . 

Finally, combining (11) with (9) establishes (8), conclud- 
ing the proof for e = and pure states. 

Next, we generalize this proof to e-smooth entropies. 
The purified distance used in the definition of the smooth 
entropies has some interesting properties [20] that we use 
in the following: (i) Let £ be any trace non-increasing 
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completely positive map (e.g. a partial isometry or a par- 
tial trace). Then, p w e r implies £(p) w £ £(t). (ii) Let 
/9 AB be a fixed extension of p A . Then, p A m E t a implies 
that there exists an extension t ab of r A that is e-close to 
p AB . Furthermore, if p AB is pure and |supp {r A }| < dimB, 
then t ab can be chosen pure. 

Let p zc f« £ p zc be a state that minimizes the smooth 
max-entropy, i.e. H^ a jZ\C) p = # max (Z|C)p. Using 
the properties of the purified distance discussed above, 
we introduce a purification /5 ZZ ' ABC , a state p~ xx > ABC ■— 
W Pzz'abcW^ and its marginal p XB , which are e-close to 
the corresponding states p. Applying the duality rela- 
tion (6) as well as the argument in (7) to p results in 
H max (Z\C)p + H min (X\B)^ > q, from which the claim fol- 
lows due to the maximization over close states used in 
the definition of the smooth min-entropy. 

Finally, to generalize the result to mixed states, we 
write down the uncertainty relation for a purification 
Pabcd of p ABC , i.e. #= in (X|B) + fff nax (Z|CD) > q. The 
claim is now a direct consequence of the data-processing 
inequality [20] establishing i^ lax (Z|CD) < H^{Z\C). 

Application to Quantum Key Distribution. — In the 
following, we consider practically relevant prepare-and- 
measure schemes such as BB84 [18]. In these schemes, 
one party, called Alice, prepares a sequence of non- 
orthogonal quantum states and sends them over a pub- 
lic quantum channel to a second party, Bob, who mea- 
sures these states. The correlated data gathered during 
this first phase of the protocol form the raw keys, from 
which Alice and Bob can then extract a final secret key by 
a classical post-processing procedure (requiring only lo- 
cal operations and communication over an authenticated 
channel) . 

Amid recent hacking attacks on commercial QKD 
systems [22, 23], it is important to point out that 
information-theoretic security proofs for quantum cryp- 
tography rely on several assumptions in addition to the 
validity of quantum mechanics. 1) The two parties, Alice 
an Bob, have access to genuine randomness. 2) The infor- 
mation that leaves each lab is restricted to what the pro- 
tocol allows. 3) The measurement devices work according 
to the specifications of the protocol. These assumptions 
are often not satisfied by realistic implementations. 

Our novel security proof allows us to drop Assump- 
tion 3, which concerns Bob's measurement device, com- 
pletely. Moreover, Assumption 2 can be weakened to 
allow for certain imperfections of Alice's state prepara- 
tion. The proof is based on the intuition, first formalized 
by Mayers [24] and captured by the uncertainty relation, 
that security of QKD can be derived from the fact that 
Alice has a choice between two incompatible bases for 
state preparation. The fact that Bob can accurately es- 
timate the states Alice prepared in both bases directly 
implies that an eavesdropper cannot. Furthermore, this 
implication holds independently of how Bob obtains his 
data, i.e., no assumption about Bob's measurement de- 



vice is required. 

The proof relies on two main ingredients: (i) the uncer- 
tainty relation (Theorem 1) and (ii) the following result 
that bounds the number of secret key bits that can be 
extracted from raw keys by classical post-processing. As- 
sume that Alice and Bob hold correlated data, X and X', 
about which an adversary may have information E. Then, 
Alice and Bob can employ a classical post-processing pro- 
cedure (usually consisting of an error correction scheme 
concatenated with a procedure called privacy amplifica- 
tion [25, 26]), which generates a shared secret key of 
length [27] 

£«^ in (X|E)-^ ax (X|X'). (12) 

(This can be seen as a single-shot version of the Devetak- 
Winter bound [28].) In other words, the length of the 
key that can be generated is essentially determined by 
the difference between the uncertainty that the adversary 
has about Alice's raw key X, measured in terms of the 
smooth min-entropy, and the uncertainty that Bob has 
about X, measured in terms of the smooth max-entropy. 

While the following arguments are rather general, we 
may for concreteness consider the BB84 protocol. For 
the purpose of the proof we use its entanglement-based 
version, which implies security of the original prepare- 
and-measure scheme [29]. Here, it is assumed that Alice 
and Bob start with an untrusted joint quantum state, 
p AB , from which they extract a secret key. This state is 
supposed to be a sequence of maximally entangled qubits 
but may, in the presence of an adversary or noise, be arbi- 
trarily corrupted. The protocol then proceeds as follows. 
First, Alice and Bob both measure each of these qubits 
with respect to a basis chosen at random from two pos- 
sibilities, X and Z, resulting in bit strings X (for Alice) 
and X' (for Bob). Next, they perform statistical tests 
on a few sample bits taken from X and X' in order to 
estimate the correlation. If this correlation is sufficiently 
large, they apply the above-mentioned post-processing 
procedure to turn their raw keys into a fully secret key 
of an appropriate length, I. Otherwise, if the estimated 
correlation is too small, they abort the protocol. 

To prove that this protocol produces a secret key, it 
suffices to verify that the entropy difference in (12) is 
positive under the condition that the raw keys passed the 
correlation test. The second term of (12), iJ^ ax (X|X'), 
directly depends on the correlation strength between the 
raw keys. For example, if X and X' consist of n bits, 
of which at most a fraction 5 disagree (according to the 
statistical test performed during the protocol), we have 

i^ ax (X|X') £ nh(5) , (13) 

where h(-) denotes the binary entropy and n is the num- 
ber of bits in the raw key. 

The first term in (12), iJ^ lin (X|E), depends on the cor- 
relations between X and the adversary's information E, 
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which is not accessible to Alice and Bob. The challenge 
is to bound these correlations from the data that is avail- 
able, namely the correlations between X and X'. This is 
exactly where our uncertainty relation steps in. 

Recall that, according to the protocol description, Al- 
ice and Bob measure each of their qubits with respect 
to one out of two different bases. One may now think 
of a hypothetical run of the protocol where Alice and 
Bob use the opposite basis choice for the measurement 
of each of their qubits, resulting in outcomes Y and Y', 
respectively. We may then apply our uncertainty rela- 
tion, which gives 

^ in (X|E) > qn - H^ X (Y\Y>) = qn - ^(X|X') , 

where q is evaluated for Alice's apparatus [30]. The last 
equality follows because the choice of basis was random 
for each qubit, and hence the correlation between Y and 
Y' is identical to the one between X and X'. Insert- 
ing this into (12) and using (13), we conclude that the 
protocol generates a secure key of length 



i(q-2h(6)) 



(14) 



We emphasize that, in contrast to security proofs based 
on previous versions of the uncertainty relation, e.g. [31] 
and [6], this security proof does not rely on additional 
arguments such as the post-selection technique [32], the 
de Finetti theorem [33] and the quantum asymptotic 
equipartition property [11, 15]. Employing these tools 
introduces additional terms in (14) that reduce the ex- 
tractable key length significantly for experimentally fea- 
sible values of n. Our proof technique will therefore lead 
to tighter finite- key bounds [34, 35] . 

Finally, we note that our approach is different 
from recent device-independent security proofs for 
entanglement-based protocols [19], which are based on 
a violation of Bell's theorem [36, 37]. In these proofs 
Assumption 3 applies to both parties and cannot be 
dropped instead, it may be replaced by the assumption 
that the measurement devices are memory less. 
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